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DETAILED ACTION 

1. Claims 1-27 are pending. 

Response to Arguments 

2. In view of the Appeal Brief filed on 6/22/2010, PROSECUTION IS HEREBY 
REOPENED. New grounds of rejection are set forth below. 

To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1 ) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply 
under 37 CFR 1.113 (if this Office action is final); or, 

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41 .31 followed 
by an appeal brief under 37 CFR 41 .37. The previously paid notice of appeal fee and 
appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth 
in 37 CFR 41 .20 have been increased since they were previously paid, then appellant 
must pay the difference between the increased fees and the amount previously paid. 

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by 
signing below. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-27 have been considered but are 
moot in view of the new ground(s) of rejection. 
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Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 1 02 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 1 , 2, 4-27 are rejected under 35 U.S.C. 1 02(e) as being anticipated by 
Kunzinger (Pub No: 2002/0091921). 



As to claim 1, Kunzinger teaches a method for secure forwarding of a message from a 
first computer to a second computer via an intermediate computer in a 
telecommunication network (Kunzinger, [0047] L1-13, end to end data sending via an 
intermediate gateway using secure tunnels), comprising: the first computer and the 
second computer negotiating and exchanging keys according to a key exchange 
protocol to establish a secure connection between the first computer and the second 
computer via the intermediate computer (Kunzinger, [0067] and [0068], the client 
establishes a secure connection to the endpoint via cascaded tunnels and the gateway 
using the IPSec and internet key exchange policy), the secure connection having a 
source address of the first computer as a first end point and a destination address of the 
second computer as a second end point of the secure connection (Kunzinger, [0013] , 
the IPSec packet has an inner header with the source and destination addresses), in 
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the first computer, forming a secure message by giving the secure message a first 
unique identity and a first destination address to the intermediate computer, (Kunzinger, 
[0068] L1-3, the key is the id and [0013] the outer header has the address of the 
endpoint of the tunnel, i.e. gateway), sending the secure message from the first 
computer to the intermediate computer, the intermediate computer receiving the secure 
message (Kunzinger, [0068] L1-3, the message is sent from the client and received by 
the gateway) and performing a translation by using the first unique identity to find a 
second destination address to the second computer , the intermediate computer 
substituting the first destination address with the second destination address to the 
second computer, the intermediate computer substituting the first unique identity with a 
second unique identity of the secure connection without establishing a new secure 
connection and without involving the second computer (Kunzinger [0074] the gateway 
uses tables and id to translate the packet into a corresponding tunnel and the data is 
then forwarded/send the over the second tunnel and [0013] the new packet has the 
address of the second computer), and the intermediate computer forwarding the secure 
message with the second destination address and the second unique identity to the 
second computer in the secure connection (Kunzinger, [0074] forwarding the IPSec 
datagram and [0013] and [0068] the id and address are in the packet of data). 

As to claim 2, Kunzinger teaches wherein the method further comprises forming the 
secure message by using an IPSec connection between the first computer and the 
second computer (Kunzinger, [0067], IPSec protection). 
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As to claim 4, Kunzinger teaches wherein the method further comprises manually 
performing a preceding distribution of keys to components for forming the IPSec 
connection (Kunzinger, [0067], IKE is used to for the IPSec connection). 

As to claim 5, Kunzinger teaches wherein the method further comprises performing a 
preceding distribution of keys for forming the IPSec connection by an automated key 
exchange protocol (Kunzinger, [0067], IKE is used to for the IPSec connection). 

As to claim 6, Kunzinger teaches wherein the method further comprises performing the 
automated key exchange protocol used for the preceding distribution of keys for forming 
the IP Sec connection by means of a modified IKE key exchange protocol between the 
first computer and the intermediate computer (Kunzinger, [0067], using phase2 IKE 
exchange between the client and gateway, this is a modified protocol because the table 
at the gateway modifies the IKE packets and inserts a new address automatically) and 
by means of a standard IKE key exchange protocol between the intermediate computer 
and the second computer (Kunzinger, [0069] using IKE between gateway and server). 

As to claim 7, Kunzinger teaches wherein the method further comprises sending the 
message that is sent from the first computer as a packet that contains message data, 
an inner IP header containing the actual sender and receiver addresses, an outer IP 
header containing the addresses of the first computer and the intermediate computer, 
the unique identity (Kunzinger, [0013], inner and outer headers and negotiated security 
association). 
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As to claim 8, Kunzinger teaches wherein the method further comprises the IPSec 
connection being one or more security associations (SA) and the unique identity being 
one or more SPI values(Kunzinger, [0067], setting up the IPSec SA and the values are 
SPI values). 

As to claim 9, Kunzinger teaches wherein the method further comprises performing the 
matching by using a translation table stored at the intermediate computer (Kunzinger, 
[0066], the databases are the translation tables). 

As to claim 10, Kunzinger teaches wherein the method further comprises changing 
both the address and the SPI-value by the intermediate computer (Kunzinger, [0074], 
the address is changed to point to the tunnel and the ID(SPI) is changed, the SPI is the 
ID that is exchanged for indexing). 

As to claim 11, Kunzinger teaches wherein the method further comprises the first 
computer being a mobile terminal (Kunzinger, [0038], the workstations communicate 
over a wireless cellular network) so that the mobility is enabled by modifying the 
translation table at the intermediate computer (Kunzinger, [0067] L13-17, the SAD on 
the gateway is modified with IKE value). 

As to claim 12, Kunzinger teaches wherein the method further comprises performing 
the modification of the translation tables by sending a request for registration of the new 
address from the first computer to the intermediate computer (Kunzinger, [0062], the 
client is the IKE initiator with negotiations with the gateway). 
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As to claim 13, Kunzinger teaches wherein the method further comprises sending a 
reply to the request for registration from the intermediate computer to the first computer 
(Kunzinger, [0063], the gateway is the IKE responder to the client in the IKE 
negotiations). 

As to claim 14, Kunzinger teaches wherein the method further comprises 
authenticating or encrypting by IPSec the request for registration and/or reply 
(Kunzinger, [0067], authenticating IPSec). 

As to claim 15, Kunzinger teaches wherein the method further comprises establishing 
the key distribution for the secure connections by establishing an IKE protocol 
translation table, and using the translation table to modify IP addresses and cookie 
values of IKE packets in the intermediate computer (Kunzinger [0074] the gateway uses 
tables and id to translate the packet into a corresponding tunnel and [0066]-[0067], the 
IKE protocol addresses, etc are stored in the SAD tables). 

As to claim 16, Kunzinger teaches wherein the method further comprises establishing 
the key exchange distribution by: generating an initiator cookie and sending a zero 
responder cookie to the second computer, generating a responder cookie in the second 
computer (Kunzinger, [0064] [0065] and [0067], the gateway is the initiator and the 
server is the responder in the IKE negotiations. [0069] shows an example of IKE 
negotiations the IDCi and IDCr values are set), establishing a mapping between IP 
addresses and IKE cookie values in the intermediate computer, and using the 
translation table to modify IKE packets in flight by modifying the external IP addresses 
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and possibly IKE cookies of the IKE packets (Kunzinger [0074] the gateway uses tables 
and id to translate the packet into a corresponding tunnel and [0066]-[0067], the IKE 
protocol addresses, etc are stored in the SAD tables). 

As to claim 17, Kunzinger teaches wherein the method further comprises modifying a 
modified IKE protocol between the first computer and the intermediate computer by 
transmitting the IKE keys from the first computer to the intermediate computer in order 
to decrypt and modify IKE packets (Kunzinger, [0067], using phase2 IKE exchange 
between the client and gateway, this is a modified protocol because the table at the 
gateway modifies the IKE packets and inserts a new address automatically). 

As to claim 18, Kunzinger teaches wherein the method further comprises carrying out 
in a modified IKE protocol between the first computer and the intermediate computer the 
modification of the IKE packets by the first computer with the intermediate computer 
requesting such modifications (Kunzinger, [0067], using phase2 IKE exchange between 
the client and gateway, this is a modified protocol because the table at the gateway 
modifies the IKE packets and inserts a new address automatically). 

As to claim 19, Kunzinger teaches wherein the method further comprises defining the 
address so that the first computer is identified for the second computer by the 
intermediate computer by means of an IP address taken from a pool of user IP 
addresses when forming the translation table (Kunzinger [0074] the gateway uses 
tables and id to translate the packet into a corresponding tunnel and the data is then 
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forwarded/send the over the second tunnel and [0013] the new packet has the address 
of the second computer). 

As to claim 20, Kunzinger teaches wherein the method further comprises sending the 
secure message by using an IPSec transport mode (Kunzinger, [0075] L12-15, IPSec 
operates in transport mode). 

As to claim 21, Kunzinger teaches wherein the method further comprises sending the 
secure message by using an IPSec tunnel mode (Kunzinger, [0075] L12-15, IPSec 
operates in tunnel mode). 

As to claim 22, Kunzinger teaches a telecommunication network for secure forwarding 
of messages (Kunzinger, [0047] L1-13, end to end data sending via an intermediate 
gateway using secure tunnels), comprising: a first computer, a second computer and an 
intermediate computer, means for negotiating and exchanging keys, according to a key 
exchange protocol, between the first computer and the second computer to establish a 
security association having a source address of the first computer as a first end point 
and a destination address of the second computer as a second end point (Kunzinger, 
[0067] and [0068], the client establishes a secure connection to the endpoint via 
cascaded tunnels and the gateway using the IPSec and internet key exchange policy), 
the first and the second computers having means for performing an IPSec processing, 
the intermediate computer having translation means for using translation tables to 
perform IPSec and IKE translation and for changing a destination address of the 
intermediate computer of a secure message to a destination address of the second 
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computer (Kunzinger [0074] the gateway uses tables and id to translate the packet into 
a corresponding tunnel (IKE/IPSec) and the data is then forwarded/send the over the 
second tunnel and [0013] the new packet has the address of the second computer), and 
the intermediate computer having means for forwarding the secure message received 
from the first computer to the second computer in the security association (Kunzinger, 
[0074] forwarding the IPSec datagram and [0013] and [0068] the id and address are in 
the packet of data) . 

As to claim 23, Kunzinger teaches wherein the translation table for IPSec translation 
has IP addresses of the intermediate computer to be matched with IP addresses of the 
second computer (Kunzinger [0074] the gateway uses tables and id to translate the 
packet into a corresponding tunnel and the data is then forwarded/send the over the 
second tunnel and [0013] the new packet has the address of the second computer). 
As to claim 24, Kunzinger teaches wherein the translation tables for IKE translation 
consists of two partitions, one for the communication between the first computer and the 
intermediate computer and another for the communication between the intermediate 
computer and the second computer (Kunzinger, [0066] L1-10, each set of interfaces has 
its own databases). 

As to claim 25, Kunzinger teaches wherein both partitions of the mapping table for IKE 
translation contains translation fields for a source IP address, a destination IP address 
(Kunzinger, [0067] IKE tables have the addresses for endpoint association), initiator and 
responder cookies between respective computers (Kunzinger, [0067], IDci and IDcr 
values). 
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As to claim 26, Kunzinger teaches wherein there is another translation table for IKE 
translation containing fields for matching a given user to a given computer (Kunzinger, 
[0066], association for a user to an endpoint). 

As to claim 27, Kunzinger teaches a telecommunication network for secure forwarding 
of messages (Kunzinger, [0047] L1-13, end to end data sending via an intermediate 
gateway using secure tunnels), comprising: a first computer, a second computer, an 
intermediate computer electronically connected to the first computer and the second 
computer, means for negotiating and exchanging keys between the first computer and 
the second computer to establish a secure connection having a source address of the 
first computer as a first end point and a destination address of the second computer as 
a second end point (Kunzinger, [0067] and [0068], the client establishes a secure 
connection to the endpoint via cascaded tunnels and the gateway using the IPSec and 
internet key exchange policy), and the intermediate computer having means for 
performing translation between destination addresses and secure identities (Kunzinger 
[0074] the gateway uses tables and id to translate the packet into a corresponding 
tunnel and the data is then forwarded/send the over the second tunnel and [0013] the 
new packet has the address of the second computer) for forwarding secure messages 
received from the first computer to the second computer in the secure connection 
(Kunzinger, [0074] forwarding the IPSec datagram and [0013] and [0068] the id and 
address are in the packet of data). 
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Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claim 3 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kunzinger 
as applied to claim 1 above, and further in view of Patel ( Pub No: 2002/0004900). 

As to claim 3, Kunzinger teaches the limitations of claim 1 . Kunzinger does not teach 
wherein the method further comprises performing a secure forwarding of the message 
by making use of SSL or TLS protocols. Patel teaches wherein the method further 
comprises performing a secure forwarding of the message by making use of SSL or 
TLS protocols (Patel, [0037] L18-21 , SSL for secure connection). It would have been 
obvious to one of ordinary skill in the art at the time of invention to combine the 
teachings of Kunzinger with Patel to use SSL for the secure connection because Patel 
teaches that SSL is a well know protocol for a secure connection that can be used like 
IPSec. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to AFSHAWN TOWFIGHI whose telephone number is 
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(571)270-7296. The examiner can normally be reached on Monday - Friday 8:00 A.M. 
to 5:00 P.M.. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Joseph E. Avellino can be reached on (571)272-3905. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Joseph E. Avellino/ 

Supervisory Patent Examiner, Art Unit 2458 



